[foaf-protocols] Fwd: gnome-keyring Storage of trust assertions

Melvin Carvalho melvincarvalho at gmail.com
Wed Dec 8 02:47:44 CET 2010


---------- Forwarded message ----------
From: Stef Walter <stefw at collabora.co.uk>
Date: 7 December 2010 21:46
Subject: gnome-keyring Storage of trust assertions
To: "gnome-keyring-list at gnome.org" <gnome-keyring-list at gnome.org>

Hi all!

I've been doing some work on the storage of trust assertions in
gnome-keyring. These are used to store things like certificate
exceptions (per host), trust anchors, and certificate revocation lists.

I've been implementing the trust assertions rough draft spec [1] with
compatibility for netscape trust objects [2] as well.

libgcr has new functions [3] for looking up whether a certificate
exception exists for a given certificate, and looking up trust anchors
(among other things). These functions use PKCS#11 internally to access
the modules where this data is stored.

The storage takes place in the pkcs11/xdg-store PKCS#11 module.

BTW, I was thinking about signing the files containing the trust
assertions, with a key for each user. But it turns out this has no value
at all if malicious code can just replace the signing key. :S

All the above code is in the trust-store branch of gnome-keyring.



[1] rough draft: http://people.collabora.co.uk/~stefw/trust-assertions.html

[2] https://developer.mozilla.org/en/NSS/PKCS_%2311_Netscape_Trust

